What does Brett Kavanaugh’s SCOTUS nomination mean for privacy?

When Justice Anthony Kennedy made the surprising announcement that he would be stepping down from the Supreme Court, the D.C.-centric pastime of court-watching went into overdrive, as politicians, pundits, and interested Americans recognized almost immediately that Kennedy’s retirement created the opportunity for President Donald Trump to have an extraordinary impact on the shape of the Supreme Court through appointment of a second justice during the president’s first term.

In recent days, there have been reports that Sen. Rand Paul, R-Ky., plans to support Brett Kavanaugh and that Sens. Susan Collins, R-Maine., and Lisa Murkowski, R-Ala., are likely to do so as well. With these key votes close to assured, it looks increasingly likely that, when the Senate returns from its August recess, the Judiciary Committee will hold hearings on Kavanaugh and, by the start of the Supreme Court’s October term, he could well be confirmed.

A great deal has already been written about Kavanaugh from a number of perspectives: his likely positions on abortion rights, the Affordable Care Act, and whether a sitting president can be held to answer to litigants in civil suits or indicted for a criminal offense.

Here, I want to offer a few thoughts on ways in which Kavanaugh, if he’s confirmed, could impact important dimensions of privacy law, specifically in the areas where the Fourth Amendment intersects with national security, and where the First Amendment intersects with technology.

First, national security. Kavanaugh is well known for his opinion in Klayman v. U.S., having ruled that the National Security Agency’s collection of bulk telephony metadata under Sec. 215 of FISA was both constitutional and supported by the government’s need to collect and analyze intelligence information for national security purposes in combatting international terrorism. Although many privacy advocates were appalled by the blunt assertions of Kavanaugh’s opinion, his reasoning fell well within the legal mainstream: It relied on the foundational 1979 Supreme Court case, Smith v. Maryland, which cemented the third-party doctrine in Fourth Amendment jurisprudence. Under this doctrine, individuals do not have a constitutionally protected privacy interest in information they have already given to a third party. Therefore, in Smith, the court held that the government’s acquisition of telephony metadata records from the phone company had not been a search and seizure that required a judicial warrant. Dozens of other lower court decisions in the FISC had previously reached the same conclusion Kavanaugh did: that Smith v. Maryland was squarely on point, and that using the statutory framework of the Foreign Intelligence Surveillance Act to support obtaining business records from phone companies did not violate the Fourth Amendment.

Since the Klayman opinion, we’ve seen the Supreme Court’s ruling in Carpenter v. U.S., a decision that is both a significant piece of Fourth Amendment jurisprudence and less consequential than many privacy advocates had hoped. In a less-than-decisive opinion, Kennedy explained that historical cell-site location information from mobile phone providers had the potential to be highly intrusive, describing in detail the precise whereabouts of an individual over time. The Carpenter opinion did not, however, overrule Smith v. Maryland, nor did it lay down a new bright-line rule that could be broadly applied to other cases involving third-party production of information. Kavanaugh’s deference to Smith v. Maryland while serving in a lower court doesn’t necessarily offer a clear view of how he might approach a similar case on the Supreme Court, where he would have the authority to argue for overruling long-standing precedent.

... Kavanaugh’s strongly stated support of NSA’s bulk metadata collection program makes it likely that he would continue to take positions that recognize there are legitimate government “special needs” to secure national security ...

Nonetheless, Kavanaugh’s strongly stated support of NSA’s bulk metadata collection program makes it likely that he would continue to take positions that recognize there are legitimate government “special needs” to secure national security and public safety and that, to the extent that government surveillance programs raise privacy concerns, those are policy questions that should be addressed by Congress and the executive branch of government, not by the courts.

The second major question for the privacy community is how Kavanaugh might deal with cases involving the privacy of personal data in the hands of technology companies. Here, the future – in general, as well as with respect to Kavanaugh in particular – is wide open.

It’s no secret that in the early days of free technology services – from webmail, to search, to social media – almost no focused legal or regulatory energy went into questioning whether there were privacy risks in the vast quantities of personal data that has been collected from individual users. The conventional wisdom was that a privacy notice and user consent (typically to an online form that consumers never read) was sufficient to ensure that consumer privacy rights and interests were protected – after all, the consumer could always choose not to use the service if he or she was uncomfortable with giving up their personal data.

In recent years, there’s been some intervention by the Federal Trade Commission under its Section 5 authority to regulate and take enforcement action against “unfair and deceptive” acts and practices. There have also been an increasing number of lawsuits against technology companies – particularly social media platforms – for their collection and use of consumers’ personal information. Their suits have involved a range of specific practices, including the use of facial recognition software, use of individual information to allow micro-targeting of advertising, sale of personal data to data brokers and other third parties.

Kavanaugh’s record overall indicates that he tends to take a generally dim view of governmental regulatory authority and tends to be solicitous of business interests.

Kavanaugh’s record overall indicates that he tends to take a generally dim view of governmental regulatory authority and tends to be solicitous of business interests. If those trends hold true for a Justice Kavanaugh considering Supreme Court cases involving consumer complaints against technology companies, it is likely that we could see a free-market approach to jurisprudence in his rulings, in which he takes the traditional view that consumers have free will to agree, or not agree, to any particular terms of service and privacy policy, and therefore that companies can be held liable if they violate their stated terms of service, but not for promulgating terms of service that are somehow deemed inherently unfair.

In other words, he might be willing to find liability for deceptive practices, but might set a high bar for plaintiffs or privacy advocates to show that a practice is unfair.

As a side note, one particularly interesting technology-related opinion by Kavanaugh came in the U.S. Telecom v. FCC case, decided last year. In Kavanaugh’s dissenting opinion on the D.C. Circuit Court of Appeals, he argued that the FCC’s net neutrality rules were unlawful on two grounds: they exceeded the FCC’s authority, and they violated the First Amendment rights of the internet service providers. As social media platforms face increased scrutiny over their use by foreign influence actors, conspiracy theorists, and others to promote a broad range of speech, it will be important to watch whether and how courts consider First Amendment arguments made by providers. In most of these cases, platform providers such as Facebook, YouTube, and others have argued that, under Section 230 of the Communications Decency Act, they are not publishers of information and cannot be held liable for the content posted by their users. However, given the significant pressure from legislative and regulatory bodies in the U.S. and other countries, along with ongoing litigation, it is possible that platform providers could begin to include a First Amendment dimension to their arguments: that they are not publishers under Section 230, but, even if they were, the speech on their platforms is protected by the First Amendment.

Kavanaugh’s net neutrality opinion raises a number of questions as to how he might rule in such situations. With the likelihood that the Supreme Court could hear cases in the upcoming five to ten years involving questions about the use of personal data, including the manipulation of personal opinions through using individuals’ own data to profile them, these First Amendment arguments could take on a new relevance and different nuance than what we’ve seen in the past.

With the likelihood that the Supreme Court could hear cases in the upcoming five to ten years involving questions about the use of personal data, including the manipulation of personal opinions through using individuals’ own data to profile them, these First Amendment arguments could take on a new relevance and different nuance than what we’ve seen in the past.

Of course, it’s notoriously difficult to predict what kind of approach a particular judge might take if elevated to the Supreme Court. The one thing we can confidently predict is that technology will continue to change at the rapid pace that we’ve seen over the past twenty years. Kennedy’s opinion in the Carpenter case is only the most recent example of this. Before 2007, smartphones didn’t exist in the current sense. Yet a mere decade later, they had sufficiently transformed modern life that the court recognized it had to consider privacy and intrusiveness of phone company records in a fundamentally different way than it had in Smith v. Maryland, a precedent that had withstood forty years of telecommunications evolution.

With that example in mind, it seems clear that, if Kavanaugh is indeed confirmed, the most important factors shaping his privacy-related rulings in the next ten, twenty, or more years may be how well he understands rapidly evolving technologies, and how he views their impact on individuals and society. An ecosystem in which government surveillance remains subject to significant regulation and private-sector data collection has relatively few constraints, the intersection between the First and Fourth Amendments, between individual liberties and corporate interests, will continue to become an ever-more-complicated area for legal analysis.

Comments

Related Stories

The views represented here are solely those of the author and do not represent those of the NSA or any other organization.
On March 1, I had the privilege of testifying before Congress. The House Judiciary Committee held a hearing on the reauthorization of Section 702 of the FISA Amendments Act, wh...

In a recent Privacy Tracker update on the European Commission’s newly proposed ePrivacy Regulation, Jan Philipp Albrecht, the member of European Parliament in charge of steering through the GDPR last year, was quoted as saying, “We know that intelligence agencies are applying blanket data collection...

The U.S. Supreme Court ruled in June that the government generally must have a warrant to gather location data from cellphones. The case followed an appeal filed by Timothy Carpenter after he was convicted of a series of armed robberies with help from cellphone data obtained by law enforcement witho...

Bloomberg BNA reports on the privacy track record of U.S. President Donald Trump’s Supreme Court nominee Brett Kavanaugh. In the United States v. Jones case, Kavanaugh determined an individual’s Fourth Amendment rights were not violated when law enforcement installed a GPS device on a suspect’s car ...

With U.S. President Donald Trump's nomination of Adam Klein to chair the historically dormant Privacy and Civil Liberties Oversight Board, it seems the board is once again inching toward reaching a quorum and becoming operational. Given the number of government agencies that remain unstaffed since t...

The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.

The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.